Social Engineering

Each day, hackers come up with new and innovative ways to trick individuals into providing personal information. These types of attacks are commonly referred to as social engineering attacks. Social engineering is the tactic of manipulating, influencing, or deceiving a victim to gain control over a computer system or steal personal and financial information. Currently, there are three main types of social engineering attacks.

Phishing

In phishing attacks, hackers send malicious emails with information about a free product, pose as a service you use, or pretend to be a friend trying to get in touch with you. When you click on a link or open an attachment from these emails, malicious files are downloaded to your device, causing it to be held for ransom.

Smishing

SMS phishing, or ‘smishing,’ happens when hackers try to steal your personal details by posing as a trusted person or service via text message. For example, a cybercriminal could pose as a representative from your bank and ask you to click on a link to connect to your bank’s “web page” and verify a recent suspicious charge. Others might ask you to call a customer service number, conveniently included within the text message, regarding a compromised account. Hackers even pose as celebrities or charitable foundations, sending text messages asking for donations to aid with hurricane relief or animal rescues. Once you input your bank information, credit card number, or social security number, the criminal can make fraudulent charges.

Vishing

Vishing is voice or voicemail phishing. This occurs when hackers call your phone number to speak to you or leave voice messages. They claim to be from a reputable company, often mentioning outstanding bills or account emergencies in order to confuse you and ask for personally identifiable information such as bank and credit card information.

Spotting Social Engineering

Click here for lots of tips on how to spot Phishing – social engineering via email.

For Smishing, look at the phone number that sent the text message. Do you recognize it? Sometimes the first few numbers or the country code can reveal that the message is coming from another country. Additionally, many automated texts from institutions like banks come from numbers that are only a few digits long, rather than a full ten-digit phone number. A good general hint is to never click on a link in an SMS, and instead find the link on your computer through official websites.

What about Vishing? Typically, vishers will call from restricted or unrecognizable numbers. If you do not recognize it, let it go to voicemail. Most of the time, vishers will not leave a voicemail, but if they do, you will have more time to determine its legitimacy when you do not feel rushed to answer questions. Vishers often pretend to be calling from a government agency, financial organization, or law enforcement agency. They will usually ask for sensitive information such as social security numbers, mother’s maiden name, or childhood home address.

Staying up to date with current smishing and vishing campaigns can help you be aware of what to watch out for. Click here for information from the Social Security Administration’s website.

Limiting telemarketer calls and messages also reduces the chances of being targeted by phishing, smishing, and vishing. If you do not want to receive calls or texts from telemarketers, you can register your home or mobile phone number for free at: https://www.donotcall.gov/

If you have any questions about the validity of a text message or voicemail, especially any claiming to be from a member of the Clark University community, contact the ITS Help Desk by emailing helpdesk@clarku.edu or calling 508-793-7745.

Our monthly information security articles are written by Alex Magid, Information Privacy and Compliance Analyst. ITS is proud to announce that Alex was recently nominated as a candidate for Educause’s Board of Directors, and additionally has been awarded a scholarship by the Regulated Research Community of Practice to attend the Educause Cybersecurity and Privacy Professionals Conference.